A large-scale phishing campaign targets WooCommerce administrators to take control.

Lưu Tuấn Anh

Overview

Recently, a large-scale phishing campaign targeted WooCommerce users with fake security alerts urging them to download a "critical patch" which, once installed, plants a WordPress backdoor on their site.

When users install it, the "update" silently installs a malicious plugin that creates a hidden administrator account on the site, downloads web shell payloads, and maintains persistent access.

The campaign, discovered by Patchstack researchers, appears to be a continuation of a similar operation in late 2023 targeting WordPress users.

Campaign Details

The emails target WordPress administrators by impersonating the popular WooCommerce e-commerce plugin. The attackers send from the address 'help@security-woocommerce[.]com'. The email warns of a critical vulnerability that does not actually exist and tells the recipient that, to protect their website, they must download the "patch" and follow the steps in the email.

When victims click "DOWNLOAD PATCH," they are redirected to a fake website, “woocommėrce[.]com“. The attackers use the letter “ė” (a homoglyph) in place of “e”, so the domain reads as “woocommerce.com” unless the reader looks closely.
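The homoglyph lure described above is something a mail gateway or an analyst can screen for mechanically. The following is an added example, not code from the post or from Patchstack: it extracts links from an email body, converts each host to its punycode (IDN) form, folds diacritics such as “ė” back to their base letter, and compares the result against an allowlist of trusted hosts. The `TRUSTED_HOSTS` allowlist and the diacritic-folding heuristic are assumptions for the example, and the sample email body is constructed.

```python
"""Triage links in a suspected phishing email for IDN homoglyph and lookalike hosts."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption for this example: the brands the check is protecting.
TRUSTED_HOSTS = {"woocommerce.com", "wordpress.org"}

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_links(text):
    """Return the URLs found in free text, with trailing punctuation trimmed."""
    return [m.group(0).rstrip(".,;:)") for m in _URL_RE.finditer(text)]


def host_of(url):
    """Lower-cased host part of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def to_ascii(host):
    """Punycode form of the host, i.e. what DNS actually resolves (xn--... labels)."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Crude confusable folding: strip combining marks so 'ė' becomes 'e'.

    NFKD splits 'ė' into 'e' + U+0307 (combining dot above); dropping the
    combining mark leaves the Latin base letter. This is a heuristic, not a
    full Unicode confusables table.
    """
    nfkd = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in nfkd if not unicodedata.combining(ch))


def classify_link(url):
    """Label a link as trusted, homoglyph, idn, lookalike or unrelated."""
    host = host_of(url)
    if host in TRUSTED_HOSTS:
        return "trusted"
    ascii_host = to_ascii(host)
    if ascii_host != host:
        # Host contains non-ASCII characters: an internationalised domain name.
        folded = skeleton(host)
        if folded in TRUSTED_HOSTS:
            return "homoglyph of %s (%s)" % (folded, ascii_host)
        return "idn host (%s)" % ascii_host
    # Plain ASCII host that merely embeds the brand name, e.g. security-woocommerce.com.
    for trusted in sorted(TRUSTED_HOSTS):
        brand = trusted.split(".")[0]
        if brand in host:
            return "lookalike of %s" % trusted
    return "unrelated"


def triage_email(body):
    """Map every link in the email body to its classification."""
    return {url: classify_link(url) for url in find_links(body)}


# Constructed sample lure, modelled on the campaign's wording; not a real message.
SAMPLE_EMAIL = (
    "A critical vulnerability affects your store. Download the patch now: "
    "https://woocommėrce.com/patch/download. "
    "Questions? Visit https://security-woocommerce.com/help or "
    "the real site at https://woocommerce.com/."
)

if __name__ == "__main__":
    for link, verdict in triage_email(SAMPLE_EMAIL).items():
        print(verdict, "<-", link)
```

Any link classified as a homoglyph or lookalike is grounds to quarantine the message; the punycode form in the verdict is what to search for in proxy and DNS logs, since that is the name clients actually resolved.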

As soon as the victim installs the fake security patch ("AuthByPass-upDate-3197-id.zip"), it registers a cron job with a random name that runs every minute and repeatedly attempts to create a new administrator-level user.

The credentials of that new account are then sent in an HTTP GET request to “woocommerce-services[.]com/wpapi“, after which the attacker deploys hidden payloads. The web shells dropped through the malicious plugin give the attacker full control of the compromised hosting account or server, which allows a range of dangerous actions:

  • Redirect users to malicious websites

  • Conduct DDoS attacks

  • Steal payment information

  • Launch extortion or ransomware attacks

Summary

This is a particularly dangerous phishing campaign because it exploits users' trust in WordPress and WooCommerce. Given its convincing presentation and its ability to take over the entire site, it can cause serious damage to data, reputation, and finances.

Always be cautious of unexpected security update emails and enhance your website's security capabilities today.

Recommendations

  1. Absolutely do not install plugins from unfamiliar emails

    • WordPress or WooCommerce never sends patches as attachments or separate download links via email.

    • If you receive an email warning about a vulnerability, check the information from the official site:

  2. Only download plugins and updates from official sources

  3. Check and remove suspicious plugins or accounts

    • Remove the plugin named wpress-security-wordpress if found.

    • Check and delete any unfamiliar user accounts, especially those named wpsecuritypatch.

    • Find and delete the file wp-autoload.php in the root directory if it is not a valid system file.

  4. Install security plugins and scan for malware regularly

    • Use one of the following security plugins:

      • Wordfence

      • Sucuri Security

      • iThemes Security

  5. Enable two-factor authentication (2FA)

    • Enable 2FA for all administrator accounts to prevent unauthorized logins.

    • You can use plugins like WP 2FA or Google Authenticator.

IOC

  1. Domain

    • security-woocommerce[.]com (sender domain)

    • woocommėrce[.]com (lure site, homoglyph of woocommerce.com)

    • woocommerce-services[.]com (endpoint that receives the created credentials)

  2. Hash (SHA-256)

    • ffd5b0344123a984d27c4aa624215fa6452c3849522803b2bc3a6ee0bcb23809
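Recommendation 3 above and the IOC list can be turned into a single file-system sweep of a WordPress install. The following is an added example, not code from the post, Patchstack or WordPress: it checks for the `wpress-security-wordpress` plugin directory and the `wp-autoload.php` root file named in the recommendations, hashes any `.zip` it finds against the SHA-256 IOC, and greps PHP/JS/text files for the `woocommerce-services[.]com` exfiltration domain. The `wpsecuritypatch` user lives in the database, so it is not covered here. The demo site tree built by `build_demo_site` is constructed for the example and is not the real dropper.

```python
"""Sweep a WordPress document root for the indicators listed in this post."""
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the post.
MALICIOUS_PLUGIN_DIR = "wpress-security-wordpress"
MALICIOUS_ROOT_FILE = "wp-autoload.php"
EXFIL_DOMAIN = "woocommerce-services.com"
PATCH_ZIP_SHA256 = "ffd5b0344123a984d27c4aa624215fa6452c3849522803b2bc3a6ee0bcb23809"

TEXT_SUFFIXES = {".php", ".js", ".txt"}


def sha256_file(path):
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(wp_root):
    """Return a sorted list of findings for the WordPress install at wp_root."""
    root = Path(wp_root)
    findings = []

    if (root / MALICIOUS_ROOT_FILE).is_file():
        findings.append("root file present: %s" % MALICIOUS_ROOT_FILE)

    if (root / "wp-content" / "plugins" / MALICIOUS_PLUGIN_DIR).is_dir():
        findings.append("plugin dir present: %s" % MALICIOUS_PLUGIN_DIR)

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # A leftover copy of the dropper archive, matched by the IOC hash.
        if path.suffix == ".zip" and sha256_file(path) == PATCH_ZIP_SHA256:
            findings.append("dropper zip (IOC hash match): %s" % rel)
        # Source files that talk to the credential-exfiltration endpoint.
        if path.suffix in TEXT_SUFFIXES:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            if EXFIL_DOMAIN in text:
                findings.append("exfil domain referenced: %s" % rel)

    return sorted(findings)


def build_demo_site(root):
    """Constructed sample tree: one benign plugin plus the post's indicators."""
    root = Path(root)
    benign = root / "wp-content" / "plugins" / "woocommerce"
    benign.mkdir(parents=True)
    (benign / "woocommerce.php").write_text("<?php // constructed benign plugin stub\n")

    rogue = root / "wp-content" / "plugins" / MALICIOUS_PLUGIN_DIR
    rogue.mkdir(parents=True)
    # Placeholder standing in for the plugin's call-home code; not the real dropper.
    (rogue / "plugin.php").write_text(
        "<?php // constructed placeholder\n"
        "$u = 'https://woocommerce-services.com/wpapi';\n"
    )
    (root / MALICIOUS_ROOT_FILE).write_text("<?php // constructed placeholder\n")


def demo():
    """Build the sample tree in a temp dir, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `hunt("/var/www/html")` (or wherever the site lives) on a real install; an empty list means none of these specific indicators were found, not that the site is clean, so pair it with the account and cron checks from the recommendations.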

Reference

  1. WooCommerce Phishing Attack: Fake Vulnerability Exploits Store Owners

  2. WooCommerce admins targeted by fake security patches that hijack sites

  3. WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors
